Operational risk: how have financial firms changed their view on OTC operational risk in the new regulatory environment?
Regulations mandated through Dodd-Frank and EMIR require banks to take an aggressive approach to automating derivative trade flows. The new regulations require firms to increase their process complexity in order to meet new reporting requirements and deadlines. Firms are finding that to meet these new requirements, operational risk and control departments must evolve from passive reporting functions to dynamic issue-resolution based departments. Richard Mitcham and James Field discuss how these functions are evolving and how firms can respond effectively to future regulatory-driven change.
Operational risk exposure and related capital requirements were introduced by the Basel II regulatory regime, first published in June 2004. The Basel II framework permitted three approaches to operational risk capital adequacy. Only one of these approaches was reliant on actual fail, break and loss data.
Two of the approaches, Basic Indicator and Standardised Basel II, used historic annual gross income as a proxy for the operational risk of an organisation. Hence there was no requirement for operations control and operational risk functions to support the capital requirement with data. Only those companies that adopted the third approach, Basel II Advanced Measurement, faced the requirement to capture, analyse and validate data covering fails, breaks and operational losses. These companies used data to model potential operational loss distributions.
Typically, banks have evolved separate operational control functions and operational risk functions. Operational control functions manage core controls such as cash and stock reconciliations. These functions capture data on disaggregated controls such as operational balance sheet substantiation and trade confirmation as well as capturing operational losses. Operational risk functions typically make use of operations control data to support risk assessments, loss projections and capital calculations.
There is currently more regulatory scrutiny of control effectiveness, which is in part driven by some of the high profile control breakdowns seen with events such as the LIBOR scandal. As a result, senior management in banks are driving operations control functions towards a more dynamic, responsive and holistic approach to control oversight.
The pre-regulatory environment:
Prior to the implementation of Dodd-Frank and EMIR regulations, control over OTC derivative trades and portfolios was exercised through a variety of controls, as described in Figure 1. These processes were not scalable, duplicative and untimely. Some of those pre-regulatory controls included:
- Bilateral validation of transaction documentation;
- Reconciliation of derivative cash-flows at settlement date; and
- Review of collateral values derived through mutual periodic mark-to-market processes.
The post-regulatory environment
Central clearing has resulted in major changes to processing and reporting flows. The benefits of clearing include improved transparency of trade pricing and reduced systemic risk. However, this design approach has implications for the OTC processing and control framework. For example, in the new environment:
- The trade life-cycle process has many more data flows – mainly in the reporting requirements to regulators;
- The complexity of the transaction processing and control environments has increased;
- Additional control points and reconciliations are needed to ensure that the data being used by each participant is, and remains, aligned; and
- The speed of control framework implementation required by the regulators is leading to tactical implementations and duplicative processes by industry participants.
In the post-regulatory environment the trade life-cycle is more transparent however there are more processes required to achieve this transparency. Portfolio reconciliation is a good example of the post-regulatory complexity of operational control.
Dodd-Frank and EMIR require regular reconciliation of trade portfolios between market participants. This requirement ensures that all parties to the trade have accurately captured the trade attributes and the life-cycle of the trade events such as novations and amendments. Logistically, this requirement has proved challenging for participants. To presume that trade data reported from the end of the trade life-cycle matches the data recorded at the front end is a poor assumption as in many cases the downstream data cannot be relied upon.
Figure 2 shows that the trade life-cycle, although more transparent, has become more complex and resource intensive. The control environment now also extends outside of individual banks and market participants due to the use of utilities. Operational control has holistically evolved to be market-wide, rather than internally focused on the trade life-cycle of an individual firm.
It is not only OTC derivative regulation that is causing pressure on operational risk. There are new regulations already in place such as CASS and Living Wills, as well as Target2 Securities and MiFID reporting that will present challenges to operational risk managers.
Principle 8 of the Basel III Sound Principles for Liquidity and Risk Management states, “A bank should actively manage its intraday liquidity positions and risks to meet payment and settlement obligations on a timely basis under both normal and stressed conditions…” This new regulatory requirement will have a major impact on the operational control of cash management as it will force the matching of payments and receipts on a real-time basis. Firms will need to improve their timeliness of identifying and addressing settlement breaks.
EMIR has introduced a greater level of client money segregation. Improved segregation provides greater protection for clients and central counterparties (CCP’s) in the event of a participants’ collapse. However, the need to segregate in a more detailed and complex manner places a greater strain on operations departments.
Target2 Securities (T2S)
T2S aims to reduce the complexity of cross-border securities settlement within Europe. Every country has its own central securities depositary, which requires institutions to interface to depending on which security needs to settle. Whilst the new platform may reduce the risks that affect settlement of cross-border transactions, the revised flows will leave business architects struggling to simplify the already complex and regionally fragmented system architecture.
Simplification of control environment
The new OTC derivative regulations require mass movement of data and will create major operational breaks and risk. As such, the market must look at ways to simplify and streamline data processes. Possible solutions include:
- The use of shared services to manage common controls. For example, a single industry shared service for inter-depository reconciliations to provide a common set of break data to depositories, market participants and regulators;
- The re-use of control data from the same control point. For example, bilateral portfolio reconciliations through the use of pre-existing depository reconciliation and inter-depository reconciliation break reporting; and
- A common source of client reference data allowing buy-side participants to supply their data once and sell-side participants to access the data from a single source, supporting the provision of UTIs, settlement and processing static data across the industry.
Operational risk management continues to evolve. Historically, the focus of a firm on operational risk was inward facing with slow reactive monitoring and limited outside liaison. However, operational risk management has now become more dynamic, with a more holistic industry-wide reach.
The future of effective operational control lies in simplification, consolidation and the reduction of duplication. The increased use of central industry utilities will reduce control complexity and therefore increase overall control. The electronic affirmation of OTC derivatives was a good example of where the adoption of a utility reduced complexity but increased overall control.
As the processes evolve there will be a natural progression from traditional operational functions towards more risk management and compliance control infrastructure. In the future, operations control functions will process trading businesses, as well as overseeing fully automated, multi-locational, industry connected functions. Monitoring and dynamic testing will become key objectives of operations control personnel, whilst in-depth compliance expertise will underpin the future design of support infrastructure.